after my site has been up and running for a while, I suddenly have a problem with my users loging into it.
- I have protected certain views with the login_required decorator.
- When an anonymous user hits that page, he is redirected to the login page.
- When this anonymous user adds its credentials, the POST request is successful and he is redirected to the inital page.
- However, the login_required decoractor kicks in again and redirects him to the login page, because Django thinks, the user is not logged in.
I am running Django 1.6 on Ubuntu with Apache and mod_wsgi in daemon mode behind SSL and I am using the Session database backend. I am using django-allauth.account for account management/login. My Session settings are like this:
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_AGE = 60*60*24
SESSION_COOKIE_SECURE = True
Since I assumed that there is an issue with sessions, I did the following:
a. I checked the sessionid cookie, which was for example: 1parpvj07b77rtxueo6981z3xoshnpx4
b. s = Session.objects.get(session_key='1parpvj07b77rtxueo6981z3xoshnpx4')
c. And s.get_decoded() gave me back {}, which would explain why Django thinks, the user must login first.
d. Then I found this gist: https://gist.github.com/glarrain/3982485. Trying this, gave me the following: {'_auth_user_id': 330619L, '_auth_user_backend': 'django.contrib.auth.backends.ModelBackend', u'_session_expiry': 0}
Any help is highly appreciated, this is a production site.
UPDATE I have just realized that the behavior is not consistent:
a. After login Django sometimes recognizes me as logged in user, sometimes it redirects me to the Login Page. Even if I do not login, but continue to click other pages, suddenly I am recognized again; the session_id in the browser cookie is consistent.
b. On our test server, that uses the production settings, I cannot reproduce this issue. The only difference between production and test is, that the load is significantly higher and we do load balancing.
Could I have a threading issue? Though I could not imagine, where this should origin from.
If your d. option works good (i mean gist), i think you have some problems with session data signing.
take a look into gist
https://gist.github.com/glarrain/3982485#file-gistfile1-py-L19
They split hash and data part. I think session classes check this hash and give you empty dict because hash is broken by some reason.
Why is broken? need to check more deep.
Maybe cookie write with one salt and reads with different. This can corrupt session data.
Just checked django code. Take a look into lines https://github.com/django/django/blob/master/django/contrib/sessions/backends/base.py#L83
They really check session data for corruption and allow to load session data only with stored it class object (as salt is used session backend name).
Maybe your classes use one session instance to write and other to read. This makes you session break.